Data and privacy

A photobooth handles customer photos and (sometimes) money in a public venue. This article explains what BoothIQ actually stores, what's synced where, and what your obligations might be to your customers.

Who this is for: Operators in regulated venues, operators with privacy-sensitive customers, or operators who just want to know what's happening with the data.

Warning
This article is operator guidance, not legal advice. Privacy law varies by country, state, and venue. If you have specific legal requirements (GDPR, CCPA, COPPA, sector-specific rules), consult a lawyer.

What BoothIQ stores on the kiosk

The booth's local SQLite database stores:

  • Sales transactions. Revenue tracking, your audit trail
  • Credit transactions. Money-in / money-out audit trail
  • Hardware status history. Diagnostics
  • Admin user accounts (passwords are hashed). Authentication
  • Master password usage records. Audit
  • Templates and categories. Customer experience
  • Settings. Business config

The database is at C:\ProgramData\BoothIQ\photobooth.db. It's not directly accessible to operators (the kiosk is locked down) but it persists across reboots and reinstalls.

What about customer photos?

Customer photo handling depends on your settings:

  • Save captured photos: OFF (default). Photos are kept long enough to print, then discarded
  • Save captured photos: ON, USB connected. Photos are saved to the USB drive after each session
  • Save captured photos: ON, no USB. Photos may be saved to local storage or held in memory; the USB warning banner in admin reminds you to plug a USB drive in

You manage this in the Settings tab → Photo Storage card.

Note
Photos are not synced to the cloud by default; they are synced only if you explicitly enable Photo Backup as a cloud feature (see Cloud features).

What about customer email addresses?

If your booth collects customer email addresses (for sending photos, marketing, etc.), they're stored in the transaction record in the database. The exact behavior depends on whether your booth has email collection enabled and how it's configured.

Note
As of this version of the docs, BoothIQ does not have a built-in "email the photo to the customer" feature. If your booth has been customized to collect emails, talk to your BoothIQ point of contact about what happens to those addresses.

What gets synced to the cloud

When the booth is registered to the cloud and online:

Synced to cloud:

  • Sales transactions (including any customer email if collected)
  • Credit transactions
  • Heartbeats (with current credit balance, mode, status)
  • Hardware status changes
  • Operational metrics
  • Logs (on demand, when support requests them)

Not synced to cloud (by default):

  • Customer photos (unless you enable Photo Backup)
  • Local admin passwords (only password hashes are stored, and those stay on the kiosk)
  • Full hardware fingerprints (a fingerprint truncated to 16 characters is sent; the cloud never receives the full hardware ID)
  • Detailed individual usage patterns beyond what's needed for sales reporting

Privacy notices for customers

If your venue or jurisdiction requires you to tell customers what's happening with their data, consider posting a notice near the booth that includes:

  • What you collect: "We take photos of you for printing. We do not store your photos after printing unless you tell us otherwise."
  • What's stored: "Sales records (price paid, time of session, product) are kept for accounting purposes."
  • What's shared: "Sales records may be sent to our cloud platform for monitoring. Your photos are not."
  • Your contact: Your business name and contact info if customers want to ask questions.

Wording depends on your jurisdiction. A lawyer can help if you need a formal notice.

GDPR / CCPA / similar

If you operate in jurisdictions with strong privacy laws:

  • Right to access. A customer can request a copy of their data. The most useful data you have is the transaction record (with their email if collected). Look it up in the Sales tab and export it as CSV.
  • Right to deletion. A customer can request you delete their data. The booth doesn't have a built-in customer deletion flow; you may need to have transaction rows deleted from the database manually (talk to support; operators can't reach the database directly on a locked-down kiosk).
  • Data minimization. Only collect what you need. If you don't need customer emails, don't enable email collection. If you don't need to save photos, leave the Save captured photos setting off.

These laws are complex. Consult a lawyer if you have specific compliance requirements.

Where the database lives

For your awareness (not for hands-on access):

  • Database file: C:\ProgramData\BoothIQ\photobooth.db
  • Logs: C:\ProgramData\BoothIQ\Logs\
  • Application files: C:\Program Files\BoothIQ\

You cannot reach these paths from the locked-down kiosk. If you need a copy of the database for a privacy-related request, contact support.

What customers should NOT find on the booth

Things that should never be visible or accessible from a customer's perspective:

  • Your admin password. Hidden behind the 5-tap and login flow
  • Other customers' photos. Not saved by default
  • Other customers' email addresses. Only in admin-side reports
  • The cash box contents. Physically locked
  • Sales totals. Only in admin
  • Logs and error details. Only in admin

If a customer can see any of these, your booth has been misconfigured. Fix it immediately and report to support.

Data retention

The local database retains data forever by default. There's no automatic cleanup. If you want to purge old data:

  • Export sales to CSV first (so you have a backup). See Exporting sales data.
  • Contact support for database cleanup procedures. Direct database editing is not exposed to operators.

For most operators, the database stays small enough that purging isn't necessary.

What to do if there's a data breach

If you discover (or suspect) a breach (kiosk stolen, kiosk compromised, customer data exposed), do this:

  1. Take the booth out of service immediately.
  2. Contact BoothIQ support. They can help with the technical side.
  3. Determine what was exposed. Was the kiosk physically taken? Were credentials leaked? Was the cloud account compromised?
  4. Notify affected customers if your jurisdiction requires it (most do for personal data breaches).
  5. Notify your venue and any business stakeholders.
  6. Document everything. When you discovered it, what you did, who you notified.
  7. Reset passwords on the cloud account, regenerate API keys, and re-register the booth.

A lawyer is your friend here.

Privacy-friendly defaults to consider

If you don't need a feature, turn it off:

  • Save captured photos: OFF unless you specifically need to retain photos.
  • Email collection: not enabled unless you have a clear reason and a privacy notice.
  • Photo backup to cloud: not enabled unless you specifically need cloud photo storage.
  • Cloud sync: leaving it enabled is fine for most operators, because it doesn't sync photos by default, just transactions and status data.

Verify your privacy posture

You're being a responsible custodian of customer data when:

  • You only collect what you need
  • Customer photos are not retained unless necessary
  • Cloud sync is configured to match your privacy goals
  • You have a privacy notice posted at the booth (if your jurisdiction requires one)
  • You know who to contact if a customer requests their data

Next steps

  • Settings tab. Where you control the photo storage setting.
  • Cloud features. Photo Backup is opt-in.
  • For developer-level security details, see the developer documentation.